Description
On October 20, 2020, Ben Hawkes of Google’s Project Zero warned Chrome users that Google had observed active exploitation of a zero-day in Chrome’s implementation of FreeType, a popular open-source font rendering library. As of October 20, the Chrome team has a new release out that includes a fix for the zero-day vulnerability, which is listed as a heap buffer overflow.
Rapid7 analysis
Like many zero-days, CVE-2020-15999 is an active threat. While Google itself rarely releases in-depth technical information on recent zero-day vulnerabilities in its software, FreeType’s bug tracker and source code are public and include details on the vulnerability’s fix, which greatly simplifies attacker efforts to reverse engineer the zero-day and accelerate exploit development.
Guidance
Upgrade Google Chrome to the latest stable version (86.0.4240.111) as quickly as possible. See Google’s advisory for further details.
While the zero-day (exploit) disclosed in the advisory is specific to Google Chrome, other FreeType implementations may also be affected by CVE-2020-15999, and FreeType users are strongly advised to upgrade to the latest stable version. See FreeType’s bug tracker for further information.
